diff --git a/.github/workflows/deploy-development.yml b/.github/workflows/build-development.yml similarity index 70% rename from .github/workflows/deploy-development.yml rename to .github/workflows/build-development.yml index c7a98cc..93e9c43 100644 --- a/.github/workflows/deploy-development.yml +++ b/.github/workflows/build-development.yml @@ -1,14 +1,13 @@ name: Build, Test and Push - Development on: - workflow_dispatch: push: branches: - devops_cicd permissions: - id-token: write # This is required for requesting the JWT - contents: read # This is required for actions/checkout + id-token: write + contents: read jobs: build_test_push: @@ -85,3 +84,35 @@ jobs: # platforms: linux/amd64,linux/arm64 push: true tags: ${{ vars.ECR_REGISTRY }}/${{ vars.ECR_REPOSITORY }}:${{ steps.set_image_tag.outputs.image_tag }} + + trigger_deploy: + runs-on: ubuntu-latest + needs: [build_test_push] + steps: + - name: Generate App Token + uses: actions/create-github-app-token@v1 + id: app-token + with: + app-id: ${{ vars.DEPLOY_APP_ID }} + private-key: ${{ secrets.DEPLOY_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} + repositories: "appdeploy" + + - name: Trigger Deploy Workflow + uses: actions/github-script@v7 + with: + github-token: ${{ steps.app-token.outputs.token }} + retries: 3 + retry-exempt-status-codes: 204 + script: | + github.rest.actions.createWorkflowDispatch({ + owner: 'aodn', + repo: 'appdeploy', + workflow_id: 'deploy.yml', + ref: 'main', + inputs: { + app_name: 'geonetwork4', + environment: 'development', + image_tag: '${{ needs.build_test_push.outputs.image_digest }}', + } + }) diff --git a/.github/workflows/deploy-production.yml b/.github/workflows/build-production.yml similarity index 50% rename from .github/workflows/deploy-production.yml rename to .github/workflows/build-production.yml index 4764c9e..11c1df2 100644 --- a/.github/workflows/deploy-production.yml +++ b/.github/workflows/build-production.yml 
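Review bot: The removed trailing comments on `id-token: write` and `contents: read` were the file's only explanation of why a build-only workflow needs OIDC write permission, and the rename to build-development.yml makes that question more likely for the next reader; keep a why-comment on the line, e.g. `id-token: write  # OIDC token for aws-actions/configure-aws-credentials`. Removing `workflow_dispatch:` leaves pushes to devops_cicd as the sole trigger, and this same change drops the manual trigger from the production and staging workflows too; if that is deliberate it is worth one sentence in the description.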
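Review bot: `github.rest.actions.createWorkflowDispatch({...})` in the new `script:` is not awaited, so the async wrapper github-script runs the body in resolves before the request completes and a rejected dispatch (for example a 422 for a wrong `ref` or input name) is not reliably turned into a step failure; prefix the call with `await`. The digest is also spliced into JavaScript source through `'${{ needs.build_test_push.outputs.image_digest }}'`; a registry digest is a benign value today, but passing it via `env:` and reading `process.env` keeps expression interpolation out of the script entirely, which is the safer habit for any value that originates outside the workflow file. As far as I can tell `retry-exempt-status-codes: 204` replaces the action's default exempt list (400,401,403,404,422) rather than extending it, and 204 is this endpoint's success status, so the line does nothing useful while causing client errors to be retried three times; dropping it restores the defaults. The same three points apply to the identical `trigger_deploy` jobs in build-production.yml and build-staging.yml. This job reads `needs.build_test_push.outputs.image_digest`, and the build job's `outputs:` block is outside this hunk, so please confirm it is declared in build-development.yml.
```yaml
      # … unchanged: Generate App Token step …
      - name: Trigger Deploy Workflow
        uses: actions/github-script@v7
        env:
          IMAGE_DIGEST: ${{ needs.build_test_push.outputs.image_digest }}
        with:
          github-token: ${{ steps.app-token.outputs.token }}
          retries: 3
          script: |
            await github.rest.actions.createWorkflowDispatch({
              owner: 'aodn',
              repo: 'appdeploy',
              workflow_id: 'deploy.yml',
              ref: 'main',
              inputs: {
                app_name: 'geonetwork4',
                environment: 'development',
                image_tag: process.env.IMAGE_DIGEST,
              }
            })
```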
@@ -1,17 +1,16 @@ name: Deploy Production on: - release: - types: - - published - workflow_dispatch: + push: + tags: + - prod permissions: id-token: write contents: read jobs: - build_push: + build_test_push: runs-on: ubuntu-latest environment: production outputs: @@ -26,6 +25,13 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 + - name: Setup Docker Structure Test + run: > + curl -LO + https://storage.googleapis.com/container-structure-test/latest/container-structure-test-linux-amd64 + && chmod +x container-structure-test-linux-amd64 && sudo mv container-structure-test-linux-amd64 + /usr/local/bin/container-structure-test + - name: Set up JDK 17 uses: actions/setup-java@v3 with: @@ -36,6 +42,17 @@ jobs: - name: Build with Maven run: mvn -B package --file pom.xml + - name: Build Docker Image + uses: docker/build-push-action@v5 + with: + context: . + load: true + tags: ${{ vars.ECR_REPOSITORY }}:${{ steps.set_image_tag.outputs.image_tag }} + + - name: Test Docker Image + run: | + container-structure-test test --image ${{ vars.ECR_REPOSITORY }}:${{ steps.set_image_tag.outputs.image_tag }} --config tests/config.yaml + - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v4 with: 
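Review bot: `name: Deploy Production` no longer matches what the file does: it is renamed to build-production.yml, its job to `build_test_push`, and the deploy itself now runs in the appdeploy repository, while the development workflow in this same change was renamed to "Build, Test and Push - Development"; rename this one the same way, e.g. `name: Build, Test and Push - Production`. The new trigger `push: tags: - prod` matches a single fixed tag name, so each production build presumably requires the `prod` tag to be moved, and `github.ref` no longer carries a version the way a published release did; if that is the intended flow, a one-line comment above `tags:` saying so would stop the next reader from assuming a glob was meant. With `workflow_dispatch:` removed here as well, there is no longer any manual way to start a production build.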
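Review bot: The new `Setup Docker Structure Test` step fetches an unversioned binary from the `latest/` path with `curl -LO`, verifies nothing, and installs it into `/usr/local/bin` with sudo, so the tool that decides whether the image passes can change underneath the workflow at any time and a tampered download would go unnoticed; pin a release and check its sha256 before installing. `curl` without `-f` also writes the HTTP error body to the file on a 4xx/5xx, and the failure then surfaces only as a confusing exec error later. The step is duplicated verbatim in build-staging.yml, so the fix applies there too. The version and checksum below are placeholders to fill from the chosen release, and the versioned bucket path is assumed to mirror the `latest/` layout — confirm against the project's release notes.
```yaml
      - name: Setup Docker Structure Test
        env:
          CST_VERSION: "<PINNED_RELEASE_TAG>"   # placeholder: a released version, not latest
          CST_SHA256: "<EXPECTED_SHA256>"       # placeholder: checksum published for that release
        run: |
          # NOTE(review): versioned path assumed to mirror latest/ — confirm
          curl -fsSL -o container-structure-test \
            "https://storage.googleapis.com/container-structure-test/${CST_VERSION}/container-structure-test-linux-amd64"
          echo "${CST_SHA256}  container-structure-test" | sha256sum -c -
          chmod +x container-structure-test
          sudo mv container-structure-test /usr/local/bin/container-structure-test
```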
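Review bot: Both new steps tag the local image with `${{ steps.set_image_tag.outputs.image_tag }}`, but no step with `id: set_image_tag` is visible in this hunk; if it is not defined earlier in `build_test_push` (outside this hunk) the expression expands to an empty string, the tag becomes `<repo>:`, and buildx rejects it as an invalid reference. A fixed local tag that does not depend on another step would remove that coupling, e.g. `tags: ${{ vars.ECR_REPOSITORY }}:test` in the build step and `--image ${{ vars.ECR_REPOSITORY }}:test` in the test step. `tests/config.yaml` is not in the part of this diff I can see, so please confirm it is checked in. Style: a one-line command does not need a block scalar; `run: container-structure-test test --image … --config tests/config.yaml` reads the same as `run: |`.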
@@ -76,64 +93,34 @@ jobs: | jq -r '.imageDetails[].imageDigest') echo "image_digest=$image_digest" >> $GITHUB_OUTPUT - production_deploy: + trigger_deploy: runs-on: ubuntu-latest - environment: production - env: - tf_version: '1.5.7' - tg_version: '0.54.0' - tg_dir: './deploy/tg' - needs: [build_push] + needs: [build_test_push] steps: - - name: Checkout - uses: actions/checkout@v4 - - - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v4 + - name: Generate App Token + uses: actions/create-github-app-token@v1 + id: app-token with: - audience: sts.amazonaws.com - aws-region: ${{ vars.AWS_REGION }} - role-to-assume: ${{ secrets.AWS_ROLE_ARN }} - - - name: Push container environment file to S3 - run: aws s3 sync . $bucket_path --exclude "*" --include "$include.env" - working-directory: ./deploy/container - env: - bucket_path: ${{ vars.CONFIG_BUCKET_PATH }} - include: ${{ vars.ENVIRONMENT }} - - - name: Expose github environment as shell variables - env: - SECRETS_CONTEXT: ${{ toJson(secrets) }} - VARS_CONTEXT: ${{ toJson(vars) }} - run: | - EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64) - to_envs() { jq -r "to_entries[] | \"\(.key)<<$EOF\n\(.value)\n$EOF\n\""; } - echo "$VARS_CONTEXT" | to_envs >> $GITHUB_ENV - echo "$SECRETS_CONTEXT" | to_envs >> $GITHUB_ENV + app-id: ${{ vars.DEPLOY_APP_ID }} + private-key: ${{ secrets.DEPLOY_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} + repositories: "appdeploy" - - name: Terragrunt Plan - uses: gruntwork-io/terragrunt-action@v2 - with: - tf_version: ${{ env.tf_version }} - tg_version: ${{ env.tg_version }} - tg_dir: ${{ env.tg_dir }} - tg_command: 'run-all plan -out=tf.plan' - env: - TF_INPUT: 0 - TF_IN_AUTOMATION: true - # get the image digest from the build job with optional override from vars context - TF_VAR_image: ${{ needs.build_push.outputs.image_digest }} - - - name: Terragrunt Apply - uses: gruntwork-io/terragrunt-action@v2 + - name: Trigger Deploy Workflow + uses: 
actions/github-script@v7 with: - tf_version: ${{ env.tf_version }} - tg_version: ${{ env.tg_version }} - tg_dir: ${{ env.tg_dir }} - tg_command: '--terragrunt-non-interactive --terragrunt-log-level info run-all apply -auto-approve tf.plan' - env: - TF_INPUT: 0 - TF_IN_AUTOMATION: true - # get the image digest from the build job with optional override from vars context - TF_VAR_image: ${{ needs.build_push.outputs.image_digest }} + github-token: ${{ steps.app-token.outputs.token }} + retries: 3 + retry-exempt-status-codes: 204 + script: | + github.rest.actions.createWorkflowDispatch({ + owner: 'aodn', + repo: 'appdeploy', + workflow_id: 'deploy.yml', + ref: 'main', + inputs: { + app_name: 'geonetwork4', + environment: 'production', + image_tag: '${{ needs.build_test_push.outputs.image_digest }}', + } + }) diff --git a/.github/workflows/build-staging.yml b/.github/workflows/build-staging.yml new file mode 100644 index 0000000..b12069d --- /dev/null +++ b/.github/workflows/build-staging.yml 
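Review bot: The job that dispatches the production deploy no longer carries `environment: production` (the removed `production_deploy` job did), so if that environment's protection rules were the approval gate, the gate now sits only on `build_test_push` and reviewers are asked to approve before the image has been built and tested rather than before it is deployed; the dispatch is also no longer recorded as a deployment of that environment. If approval is meant to precede deployment, add `environment: production` back on `trigger_deploy`, or document in the job that the gate intentionally moved to the build. Because `secrets.DEPLOY_APP_PRIVATE_KEY` is read from this ungated job, it has to be a repository-level secret rather than a production-environment one, which widens where that key is usable. The job's `needs: [build_test_push]` keeps the build ordering, but nothing else in this hunk constrains when the cross-repository dispatch fires.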
@@ -0,0 +1,108 @@ +name: Deploy Staging + +on: + push: + branches: + - master + +permissions: + id-token: write + contents: read + +jobs: + build_test_push: + runs-on: ubuntu-latest + environment: staging + outputs: + image_digest: ${{ steps.build_and_push.outputs.digest }} + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Setup Docker Structure Test + run: > + curl -LO + https://storage.googleapis.com/container-structure-test/latest/container-structure-test-linux-amd64 + && chmod +x container-structure-test-linux-amd64 && sudo mv container-structure-test-linux-amd64 + /usr/local/bin/container-structure-test + + - name: Set up JDK 17 + uses: actions/setup-java@v3 + with: + distribution: 'temurin' + java-version: '17' + cache: 'maven' + + - name: Build with Maven + run: mvn -B package --file pom.xml + + - name: Build Docker Image + uses: docker/build-push-action@v5 + with: + context: . + load: true + tags: ${{ vars.ECR_REPOSITORY }}:${{ steps.set_image_tag.outputs.image_tag }} + + - name: Test Docker Image + run: | + container-structure-test test --image ${{ vars.ECR_REPOSITORY }}:${{ steps.set_image_tag.outputs.image_tag }} --config tests/config.yaml + + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + audience: sts.amazonaws.com + aws-region: ${{ vars.AWS_REGION }} + role-to-assume: ${{ secrets.AWS_ROLE_ARN }} + + - name: Login to ECR + uses: docker/login-action@v3 + with: + registry: ${{ vars.ECR_REGISTRY }} + + - name: Build and Push Docker Image + id: build_and_push + uses: docker/build-push-action@v5 + with: + context: . 
+# Only building for AMD64 for now +# platforms: linux/amd64,linux/arm64 + push: true + tags: ${{ vars.ECR_REGISTRY }}/${{ vars.ECR_REPOSITORY }}:latest + + trigger_deploy: + runs-on: ubuntu-latest + needs: [build_test_push] + steps: + - name: Generate App Token + uses: actions/create-github-app-token@v1 + id: app-token + with: + app-id: ${{ vars.DEPLOY_APP_ID }} + private-key: ${{ secrets.DEPLOY_APP_PRIVATE_KEY }} + owner: ${{ github.repository_owner }} + repositories: "appdeploy" + + - name: Trigger Deploy Workflow + uses: actions/github-script@v7 + with: + github-token: ${{ steps.app-token.outputs.token }} + retries: 3 + retry-exempt-status-codes: 204 + script: | + github.rest.actions.createWorkflowDispatch({ + owner: 'aodn', + repo: 'appdeploy', + workflow_id: 'deploy.yml', + ref: 'main', + inputs: { + app_name: 'geonetwork4', + environment: 'staging', + image_tag: '${{ needs.build_test_push.outputs.image_digest }}', + } + }) diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml deleted file mode 100644 index 5c77011..0000000 --- a/.github/workflows/deploy-staging.yml +++ /dev/null 
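Review bot: `build_test_push` in this new file has no step with `id: set_image_tag`, yet the `Build Docker Image` and `Test Docker Image` steps both expand `${{ steps.set_image_tag.outputs.image_tag }}`; an undefined step output evaluates to an empty string, so the image is tagged `<repo>:` and the build step fails on an invalid reference before any test runs. Since the push step tags the image `:latest` anyway, use a fixed local tag in both places, e.g. `tags: ${{ vars.ECR_REPOSITORY }}:latest` and `--image ${{ vars.ECR_REPOSITORY }}:latest`. `name: Deploy Staging` also no longer describes a file named build-staging.yml whose deploy happens in appdeploy; the development file in this change uses the "Build, Test and Push - …" form. The two `# Only building for AMD64` comment lines sit at column 0 inside the `with:` block; they parse, but indenting them to the level of the `platforms:` key they describe reads better.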
@@ -1,121 +0,0 @@ -name: Deploy Staging - -on: - push: - branches: - - master - workflow_dispatch: - -permissions: - id-token: write - contents: read - -jobs: - build_push: - runs-on: ubuntu-latest - environment: staging - outputs: - image_digest: ${{ steps.build_and_push.outputs.digest }} - steps: - - name: Checkout - uses: actions/checkout@v4 - - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Set up JDK 17 - uses: actions/setup-java@v3 - with: - distribution: 'temurin' - java-version: '17' - cache: 'maven' - - - name: Build with Maven - run: mvn -B package --file pom.xml - - - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v4 - with: - audience: sts.amazonaws.com - aws-region: ${{ vars.AWS_REGION }} - role-to-assume: ${{ secrets.AWS_ROLE_ARN }} - - - name: Login to ECR - uses: docker/login-action@v3 - with: - registry: ${{ vars.ECR_REGISTRY }} - - - name: Build and Push Docker Image - id: build_and_push - uses: docker/build-push-action@v5 - with: - context: . -# Only building for AMD64 for now -# platforms: linux/amd64,linux/arm64 - push: true - tags: ${{ vars.ECR_REGISTRY }}/${{ vars.ECR_REPOSITORY }}:latest - - staging_deploy: - runs-on: ubuntu-latest - environment: staging - env: - tf_version: '1.5.7' - tg_version: '0.54.0' - tg_dir: './deploy/tg' - needs: build_push - steps: - - name: Checkout - uses: actions/checkout@v4 - - - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v4 - with: - audience: sts.amazonaws.com - aws-region: ${{ vars.AWS_REGION }} - role-to-assume: ${{ secrets.AWS_ROLE_ARN }} - - - name: Push container environment file to S3 - run: aws s3 sync . 
$bucket_path --exclude "*" --include "$include.env" - working-directory: ./deploy/container - env: - bucket_path: ${{ vars.CONFIG_BUCKET_PATH }} - include: ${{ vars.ENVIRONMENT }} - - - name: Expose github environment as shell variables - env: - SECRETS_CONTEXT: ${{ toJson(secrets) }} - VARS_CONTEXT: ${{ toJson(vars) }} - run: | - EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64) - to_envs() { jq -r "to_entries[] | \"\(.key)<<$EOF\n\(.value)\n$EOF\n\""; } - echo "$VARS_CONTEXT" | to_envs >> $GITHUB_ENV - echo "$SECRETS_CONTEXT" | to_envs >> $GITHUB_ENV - - - name: Terragrunt Plan - uses: gruntwork-io/terragrunt-action@v2 - with: - tf_version: ${{ env.tf_version }} - tg_version: ${{ env.tg_version }} - tg_dir: ${{ env.tg_dir }} - tg_command: 'run-all plan -out=tf.plan' - env: - TF_INPUT: 0 - TF_IN_AUTOMATION: true - # get the image digest from the build job with optional override from vars context - TF_VAR_image: ${{ needs.build_push.outputs.image_digest }} - - - name: Terragrunt Apply - uses: gruntwork-io/terragrunt-action@v2 - with: - tf_version: ${{ env.tf_version }} - tg_version: ${{ env.tg_version }} - tg_dir: ${{ env.tg_dir }} - tg_command: '--terragrunt-non-interactive --terragrunt-log-level info run-all apply -auto-approve tf.plan' - env: - TF_INPUT: 0 - TF_IN_AUTOMATION: true - # get the image digest from the build job with optional override from vars context - TF_VAR_image: ${{ needs.build_push.outputs.image_digest }}